author | netblue30 <netblue30@protonmail.com> | 2022-06-18 07:20:46 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2022-06-18 07:20:46 -0400 |
commit | c7e4c8ed592fee7f1644152a23c3e1343b01b922 (patch) | |
tree | f924a9aadc1a6ec9ea3f8584f898d06fa8c5065f | |
parent | remving src/fgit (diff) | |
seccomp-log support in firejail.config
-rw-r--r-- | etc/firejail.config | 6 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 10 |
4 files changed, 17 insertions, 2 deletions
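--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -121,6 +121,12 @@
 # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
 # seccomp-error-action EPERM
 
+# If seccomp subsystem in Linux kernel kills a program, a message is posted to syslog.
+# Starting with Linux kernel version 4.14, it is possible to send seccomp violation messages
+# even if the program is allowed to continue (see "seccomp-error-action EPERM" above).
+# This logging feature is disabled by default in our implementation.
+# seccomp-log no
+
 # Enable or disable user namespace support, default enabled.
 # userns yes
 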
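--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -60,6 +60,7 @@ int checkcfg(int val) {
 cfg_val[CFG_BROWSER_ALLOW_DRM] = 0;
 cfg_val[CFG_ALLOW_TRAY] = 0;
 cfg_val[CFG_CHROOT] = 0;
+cfg_val[CFG_SECCOMP_LOG] = 0;
 
 // open configuration file
 const char *fname = SYSCONFDIR "/firejail.config";
@@ -124,6 +125,7 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
 PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
 PARSE_YESNO(CFG_ALLOW_TRAY, "allow-tray")
+PARSE_YESNO(CFG_SECCOMP_LOG, "seccomp-log")
 #undef PARSE_YESNO
 
 // netfilter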
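--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -828,6 +828,7 @@ enum {
 CFG_SECCOMP_ERROR_ACTION,
 // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
 CFG_ALLOW_TRAY,
+CFG_SECCOMP_LOG,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;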
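--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -71,11 +71,17 @@ int seccomp_install_filters(void) {
 assert(fl->fname);
 if (arg_debug)
 printf("Installing %s seccomp filter\n", fl->fname);
+int rv = 0;
 #ifdef SECCOMP_FILTER_FLAG_LOG
-if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog)) {
+if (checkcfg(CFG_SECCOMP_LOG))
+rv = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog);
+else
+rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
 #else
-if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) {
+rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
 #endif
+
+if (rv == -1) {
 if (!err_printed)
 fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
 err_printed = 1;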
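Review bot: With seccomp-log enabled on a kernel older than the 4.14 the commit's own config comment names, the `syscall(SYS_seccomp, …, SECCOMP_FILTER_FLAG_LOG, …)` call at new line 77 fails (the kernel rejects flags it does not know with EINVAL) and the `rv == -1` branch at new line 84 then treats it as "no seccomp at all", so a single config option can leave the sandbox without its filter on a kernel that does support plain seccomp filtering. The pre-change code had the same exposure whenever the header defined the flag; this change narrows it to the opt-in case but does not close it. Retrying through the plain prctl() path when the flagged call fails with EINVAL keeps the filter and only loses the logging, and having the warning include `strerror(errno)` would make an unsupported-flag failure distinguishable from a kernel without seccomp; errno.h needs to be in scope for both. seccomp_install_filters() starts before and continues after this hunk, so whether the -1 path aborts the sandbox or carries on without the filter is not visible here.
```c
#ifdef SECCOMP_FILTER_FLAG_LOG
if (checkcfg(CFG_SECCOMP_LOG)) {
	rv = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog);
	// kernels without SECCOMP_FILTER_FLAG_LOG support reject the flag with EINVAL:
	// keep the filter and give up only on the logging
	if (rv == -1 && errno == EINVAL)
		rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
}
else
	rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
#else
/* … unchanged: prctl path when the flag is not defined at build time … */
#endif
```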